Add support for Xen ocontext records to enable device polices. The default policy will not be changed and instructions have been added to enable the new functionality. Examples on how to use the new policy language have been added but commented out. The newest version of checkpolicy (>= 2.0.20) and libsepol (>= 2.0.39) is needed in order to compile it. Devices can be labeled and enforced using the following new commands; pirqcon, iomemcon, ioportcon and pcidevicecon. Signed-off-by : George Coker <gscoker@alpha.ncsc.mil> Signed-off-by : Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> --- docs/misc/xsm-flask.txt | 64 ++++++++++++++++++++++++ tools/flask/policy/Makefile | 20 ++++++- tools/flask/policy/policy/modules/xen/xen.if | 31 +++++++++++ tools/flask/policy/policy/modules/xen/xen.te | 35 +++++++++++++ xen/xsm/flask/avc.c | 2 xen/xsm/flask/hooks.c | 31 ++++++++--- xen/xsm/flask/include/avc.h | 6 -- xen/xsm/flask/ss/policydb.c | 71 +++++++++++++++++++++++++-- xen/xsm/flask/ss/policydb.h | 23 ++++++-- xen/xsm/flask/ss/services.c | 9 +-- 10 files changed, 263 insertions(+), 29 deletions(-) _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel